Microsoft Wants a Digital Geneva Convention

Salam Sheikh-Khalil

Vol. 39 Contributing Editor

Microsoft just called for a monumental shift in international law—at a conference for coders and cryptographers. Brad Smith, Microsoft’s President and Chief Legal Officer, delivered the keynote address at February’s RSA Conference in San Francisco, urging governments to create a “Digital Geneva Convention”.[1]

The vulnerability of companies and customers to state-sponsored hacking is acute, Smith argued.[2] The 2014 North Korean hacking of Sony Pictures marked one startling incident; China’s thefts of American companies’ intellectual property, another. And the allegedly Russian-sponsored hacking of the Democratic National Committee remains fresh in the public’s mind. Even in state-on-state digital espionage, privately-owned property like submarine cables, data centers, laptops is often hit in the crossfire—sometimes intentionally, sometimes as collateral damage.[3] Moreover, because 90% of the Internet’s infrastructure is managed by the private sector[4], “[a] cyber-attack by one nation-state is met initially not by a response from another nation-state, but by private citizens.”[5]

Report vulnerabilities to vendors rather than stockpile, sell, or exploit them.

Exercise restraint in developing cyberweapons and ensure that any developed are limited, precise, and not reusable.

Commit nonproliferation activities to cyberweapons.

Limit offensive operations to avoid a mass event.

In a ratified convention, these would become binding legal obligations.[7]

Second, and to help enforce the convention, Microsoft recommends the creation of an independent organization to investigate and publicly share evidence attributing attacks to specific countries. Similar to the International Atomic Energy Agency (IAEA), this entity would hopefully shame states into compliance with the convention.[8]

Third, Microsoft calls on the technology sector to become a “digital Switzerland”—a neutral space insulated from state cyber-hostilities. [9] Companies should protect and assist all of their customers in case of cyber-attacks, anywhere in the world, and regardless of the attackers’ identities.[10]

The Budapest Convention on Cybercrime (2001) defines a number of computer-related crimes—including hacking for economic benefit—and facilitates international cooperation among law enforcement agencies.[11] More recently, in 2014, the UN General Assembly charged a group of governmental experts with developing updated global cybersecurity norms. Among the group’s eventual recommendations were prohibitions on government engagement in malicious activities or intentionally damaging critical infrastructure using information and communications technology.[12]

Individual states have affirmed these values, too. In September 2015, the U.S. and China pledged to abstain from “cyber-enabled theft of intellectual property…with the intent of providing competitive advantages to companies or commercial sectors” against each other.[13] Two months later, the G20 Summit also voiced its support for this same pledge.[14]

Nor is it unheard of for a private company to urge changes in international law. Google and Facebook have lobbied the U.S. Federal Communications Commission to support international measures improving Internet access.[15] Tech companies also lobbied heavily both for and against the Trans-Pacific Partnership (TPP) trade agreement.[16] Whether a company has ever initiated a proposal for an international convention or treaty is unclear. But the fact that this idea originated with a corporate behemoth like Microsoft (and other cybersecurity experts) should not decrease the likelihood of implementation.

The bigger risk to a potential Digital Geneva Convention, if the idea gets off the ground, is international disagreement about its substance. Some experts worry that authoritarian nations will try to legitimize their censorship and control of the Internet by creating loopholes to the treaty.[17] Others support Microsoft’s call for restrained development of cyber weapons, seeing an outright ban as impossible.[18] Enforcement of the treaty would also be difficult—unlike nuclear weapons, for instance, states could easily conceal hacking facilities or hackers’ connections to governments.[19] An IAEA-like cyber monitor would struggle to get permission to enter a government’s computer systems in an investigation. Moreover, some states might resist ratifying a Digital Geneva Convention, instead increasing their competitive cyber-advantage while other states pledge restraint.[20]

Next Steps

Despite these hurdles, Microsoft’s call for a Digital Geneva Convention has been supported by cybersecurity experts.[21] 2017 presents several opportunities for the idea to gain traction.[22] The 12th International Governance Forum—a gathering of government, academic, and private sector stakeholders—is one major venue to push the idea forward. Additionally, the UN’s Group of Governmental Experts will need to report again on cybersecurity norms to the General Assembly this year.[23] The Group might consider Microsoft’s proposals as it drafts.

As Microsoft itself acknowledges, an international agreement would not be enough to protect against state-sponsored cyber-attacks. In fact, its third proposal, for a “digital Switzerland”, is perhaps the likeliest to succeed; the private sector can adopt standards for itself faster than the international community. Still, Microsoft’s proposal is heartening to cybersecurity advocates. By sparking a dialogue between the private and public sectors, on an idea of grandiose scale, Microsoft has brought state-sponsored attacks on companies and customers into the sunlight and might just spark enough dialogue to radically move international law.

[12] U.N. General Assembly, Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, ¶ (f), U.N. Doc. A/70/174, at 8/17 (July 22, 2015).

[13] The White House – Office of the Press Secretary, Fact Sheet: President Xi Jinping’s State Visit to the United States, (Sept. 25, 2015), https://obamawhitehouse.archives.gov/the-press-office/2015/09/25/fact-sheet-president-xi-jinpings-state-visit-united-states.

[18] Bruce Schneier, An International Cyberwar Treaty is the Only Way to Stem the Threat, U.S. News & World Report (June 8, 2012, 4:14 PM), https://www.usnews.com/debate-club/should-there-be-an-international-treaty-on-cyberwarfare/an-international-cyberwar-treaty-is-the-only-way-to-stem-the-threat.

[23] U.N. Office for Disarmament Affairs, Developments in the Field of Information and Telecommunications in the Context of International Security, https://www.un.org/disarmament/topics/informationsecurity/.

Share:

This website contains views and opinions published by members of the Journal’s editorial team on issues germane to the Journal’s area of focus. The views expressed on this website and in individual posts represent the views of the post’s author(s) only.